Connolly pushing for new FedRAMP bill

Even though the federal government's program to evaluate and authorize cloud service providers' offerings has made significant strides, lawmakers are developing legislation that addresses weaknesses and gaps that still dog it.

Some of the companies that have gone through the often-lengthy Federal Risk and Authorization Management Program approval process told a House Committee and on Oversight and Reform subcommittee on July 17 that they're having difficulties understanding the approval process and getting agencies to accept approvals uniformly.

Those complaints have nagged FedRAMP since its inception, with companies saying the process was also too lengthy and costly.

Will Ackerly, CTO at startup Virtru, told Government Operations Subcommittee Chairman Gerry Connolly (D-Va.) that his company probably wouldn't have made it through the FedRAMP authorization process if not for advocates inside federal agencies who helped shepherd it through. It took 20 months to get the company's product through the approval cycle at a cost of $1.6 million, Ackerly said. Plus, Virtru still must spend $150,000 to $200,000 a year to maintain the certification, he said.

Those costs, time and confusion, Connolly said, are what FedRAMP was created to address. "What was supposed to be a six-month process costing $250,000 instead could take years and cost a company millions of dollars," he said.

Connolly, as well as vendors testifying at the hearing, commended FedRAMP on making significant progress. Nevertheless, said Connolly, new legislation is needed to define roles, including how FedRAMP's Joint Authorization Board (JAB) and agencies see each other's approvals, as well as other issues.

The JAB authority to operate should "be accepted at all [agency] windows," Connolly said, while agency ATOs might set some basic approval foundations that could be more readily reused by companies without starting each approval from scratch. That's not happening, he said.

Anil Cheriyan, deputy commissioner of the Federal Acquisition Service and director of the Technology Transformation Service at the General Services Administration, told the committee that FedRAMP has made significant progress. In fiscal 2018, he said, the government issued about 40 authorizations, including provisional ATOs. It took three years, he said, for the program to issue its first 40 ATOs.

Currently, he said, the government has authorized 143 cloud products from 115 companies, with 69 more ATOs coming.

Department of Health and Human Services CIO Jose Arrieta said FedRAMP has been key to his agency's move to make all of its data more transparent and useable, as well as a linchpin in the agency's IT modernization efforts.

Despite the successes, Connolly and Rep. Mark Meadows (R-N.C.) are drafting a bill with industry input that will instill some official discipline in the process.

The two introduced a FedRAMP reform bill last July, but it didn't get out of the House. The new bill is very similar to last year's.

"There will be legislation in your future," Connolly told witnesses at the hearing. "We're determined" to provide a legislative "anchor" for FedRAMP provisions, he said.

According to Connolly, the legislation now being drafted will codify and define the roles and responsibilities of federal agencies and third-party assessment organizations; address how to further reduce long approval times for vendor applicants, particularly small businesses; tackle the uneven application of vendors' ATOs across federal agencies; and set metrics on time, costs and assessment quality.